How to Build a Best-in-Class Vulnerability Management Program

What is a vulnerability management program

Vulnerability management is widely described as the practice of identifying security vulnerabilities in unpatched systems that if exploited by adversaries, can put your entire enterprise environment at risk. Typically, vulnerability management is a foundational practice, and an integral part of any standard cybersecurity initiative. However, constantly changing device demographics and increasing sophistication in cyberattack techniques, including an increase in recent multi-pronged attacks, are challenging the existing vulnerability management practices.

In terms of vulnerability management, we often see the application of individual vulnerability scanners and projects in various parts of an organization. But the truly effective vulnerability management program operates at a higher level.

An effective vulnerability management program continually monitors, analyzes, and assesses risk, wrapping its arms around security weaknesses and shining a light on exposures that can negatively impact the enterprise.

With this expanded scope and visibility, the vulnerability management program needs to be supported from the C-Suite down, aligned with high-level strategies, and integrated with core elements of the business. The program should also include a steering committee that draws members from all parts of the organization, to ensure cross functional support and alignment. A well-run vulnerability management program is the foundation that supports the organization’s cybersecurity posture, agility, and cyber-resilience. It is also the infrastructure that makes truly great vulnerability management possible.

“Security-smart organizations have gone well beyond thinking just in terms of assessing and addressing vulnerability—now vulnerability management is a cornerstone of their corporate security, risk, and compliance programs.” – CSO Online

Limitations of Traditional Vulnerability Management Tools

While performing regular and ongoing scanning for unpatched vulnerabilities is a start in the right direction, it is woefully insufficient given the current breadth of attack surface and the pace of change in highly dynamic IT environment. Some of the fundamental limitations of vulnerability management solutions include:

  1. They take a rules-based approach and you can only scan for those vulnerabilities that you (or your vendor) has created rules for. Traditional tools are unable to learn new targets or attack methods themselves.
  2. These tools do not provide accurate and up-to-date IT asset inventory data. Do you know how many devices – managed, unmanaged, BYO, IoT, etc. – are plugged into your environment at this time? Do you have an inventory of all assets – users, apps, and devices? Do you know which of these assets are highly critical for your business and which ones are less important? How much of this information is provided by your vulnerability tool?
  3. Vulnerability tools typically only scan enterprise-owned managed IT assets. In modern enterprises today, the device demographics has changed dramatically with a proliferation of all kinds of assets including unmanaged, cloud-based, IoT and others.
  4. Scanning is episodic, with periodic point-in-time scans. These tools do not offer truly continuous, real-time scanning – in fact, once the scan stops, the security practitioner has to manually kick off another scan.
  5. Traditional vulnerability tools generally spew out a large number of vulnerabilities, and unless you are able to stay up-to-date with your patching (which organizations typically struggle with due to a number of reasons) chances are that your team is facing an ever-growing to-do list.

Four Key Elements in a Vulnerability Management Program and How They Work Together

Vulnerability Management Program Overview

So what are the key elements in a “great” vulnerability management program and how do they work together?

1. Vulnerability Assessment (weaknesses, risks, and exposures)

Effective vulnerability management starts with your ability to assess vulnerabilities. An effective vulnerability assessment program gives your organization the tools needed to understand its security weaknesses, assess the risks associated with those weaknesses, and put protections in place that reduce the likelihood of a breach. Conducted on a regular basis, these vulnerability assessments identify hazards, assess the likelihood of a security failure, and help you focus scarce resources on those things that matter most.

2. Vulnerability Management Tools (vulnerability scanners, deep learning, and AI)

As our understanding of security risk has matured, so have vulnerability management tools, which now support a continuous enterprise-wide lifecycle of vulnerability discovery, remediation, and reporting.

“A full-featured vulnerability management product or suite of products must be able to support, at minimum, a repeatable lifecycle of asset discovery and enumeration, vulnerability detection, risk assessment, configuration compliance assessment, change management and remediation, verification, and auditing and reporting.” CSO Online

Vulnerability scanning tools are the backbone of every vulnerability management program. They don’t just perform vulnerability and error detection; they also help with risk assessment based on the severity of the threat and the value of the vulnerable system to the organization. After remediation, re-scans will tell you if corrective actions have been successful (that is, a patch has been successfully applied or the configuration error corrected).

It’s also worth noting that while machine learning and AI are emerging technologies that can be applied to nearly every sector, there are many fields that are either reaping the benefits of AI right now or that soon will be and cybersecurity is one of them. Because of the unique challenges that cybersecurity presents (vast attack surface, hundreds of attack vectors, thousands of devices, masses of data), artificial intelligence and autonomous systems can often automate threat detection and respond more efficiently than traditional software-driven approaches are equipped to do.

3. Integration and Alignment (systems, processes, key stakeholders)

Vulnerability management is a top enterprise-wide priority, and as such, your vulnerability management program needs to be tightly integrated with your organization’s business-critical systems and processes. It needs to tie to vulnerability databases and also align with key stakeholders across the organization (not just in IT and infosec), as well as compliance and regulatory requirements. Risks can be lurking anywhere, so risk management needs to “have eyes and ears” covering the entire vulnerability landscape.

4. Agility (cyber-resilience and scale)

IT security is always going to be a moving target, which makes agility, cyber-resilience, and scale all major considerations. Is your vulnerability management program agile enough to keep your organization safe? Does it take into account business criticality and context? Do your security systems and related processes scale to meet an ever-evolving threat landscape? Are you cyber-resilient?

The number of IT assets that companies have in place is only going in one direction – up. More endpoint devices, servers, and applications are continually being added to the environment, and this puts increasing demands on IT to keep everything up to date. As the number of known vulnerabilities continues to rise, the amount of time between vulnerabilities being discovered and exploits is dropping. It becomes increasingly difficult to manage vulnerabilities effectively when there are hundreds, thousands, or even millions of assets to consider and very short windows of time to respond.

How to achieve best-in-class status for your vulnerability management programs

When it comes to vulnerability management, it’s important to aim high. Because the stakes are so critical, OK is not good enough; your vulnerability management program needs to strive for best in class.

As you architect your vulnerability management program, remember these key elements:

  1. Scope (what does it cover)
  2. Strategic importance (from C-suite down)
  3. Integration (with other key systems, stakeholders, and processes)

Once you’ve gotten that right, “the devil is in the details.” Ongoing vigilance (vulnerability scanning, mitigation, re-scanning) helps you stay ahead of emerging threats. Integration and discipline (well-defined and strongly enforced) help you sustain a strong security posture over time. And AI/machine learning can help you make sense of large amounts of data to obtain relevant insights, elevating your program to a whole new level.

The most successful programs manage to thread the needle between the big picture (enterprise-wide security) and every relevant detail (systems, organizations, processes) – detecting security issues and software vulnerabilities that can lead to exploitation and mitigating risk across the enterprise infrastructure.

Recommended Resources

Cyber Risk Quantification: A CISO Executive Guide
How to Calculate your Enterprise’s Breach Risk
9 Slides Every CISO Must Use in Their Board Presentation
9 Slides Every CISO Must Use in Their 2024 Board Presentation
Oerlikon case study
Case Study
Oerlikon Reduces Patch Time and Improves Management-Level Cyber Risk Visibility